Products
Concrete CMS
- 9.0.0
- 9.0.1
- 9.0.2
- 9.0.3
- 9.0.4
- 9.0.5
- 9.0.6
- 9.0.7
- 9.0.8
- 9.0.9
- 9.1.0
- 9.1.1
- 9.1.2
- 9.1.3
- 9.1.4
- 9.2.0
- 9.2.1
- 9.2.2
- 9.2.3
- 9.3.0
- 9.3.1
- 9.3.2
- 9.3.3
Source
ff5b8ace-8b95-4078-9743-eac1ca5451de
Tags
CVE-2024-8660 details
Last Modified : Sept. 17, 2024, 7:15 p.m.
Description
Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page.The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N . This does not affect versions below 9.0.0 since they do not have the Top Navigator Bar Block. Thanks, Chu Quoc Khanh for reporting.
CVSS Score
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|---|---|
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
References
URL | Source |
---|---|
https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes | ff5b8ace-8b95-4078-9743-eac1ca5451de |
https://github.com/concretecms/concretecms/pull/12128 | ff5b8ace-8b95-4078-9743-eac1ca5451de |